Canonical rules for building SvelteKit fullstack applications. Every execution-agent MUST respect the server/client boundary, fetch data via `load` functions, mutate via form `actions`, and use file-based routing. **Base axiom:** SvelteKit's value comes from a hard server/client boundary expressed through file naming (`+page.server.ts` is server-only; `+page.ts` is universal; `.svelte` is the client component). A file's name is its contract — leaking a secret across that boundary is a one-edit security failure that lints often do not catch. So every authoring decision starts from «which boundary owns this concern?», not from «where is this convenient?». Scope: routing structure, data flow (load + actions), server hooks, page options, adapters. Out of scope: rune-level component authoring (covered by `svelte5-runes`) and TS-level conventions (covered by `typescript-rules`). - ai/directives/coding/typescript-rules.xml - ai/directives/coding/svelte5-runes.xml Routes are declared by directory structure under `src/routes/`. A path like `src/routes/user/[id]/+page.svelte` exposes `/user/:id`. Manual route tables, parallel router libraries, or imperative `Router` mounting are forbidden — they fork the source of truth for which URL renders what. Layout wrappers via `+layout.svelte` / `+layout.server.ts` / `+layout.ts`. Nested layouts compose; siblings do not. The file name decides where the code runs: - `+page.server.ts`, `+layout.server.ts`, `hooks.server.ts`, anything under `$lib/server/` — **server-only**. Allowed to read filesystem, talk to databases, use private env. - `+page.ts`, `+layout.ts`, `.svelte` (instance script + template) — **universal/client**. MUST be safe to ship to the browser. Private secrets (`$env/static/private`, `$env/dynamic/private`) MUST NOT be imported from universal/client files. The toolchain refuses such imports at build time — agent's job is to keep the import graph clean from the start, not to rely on the compile error as the only guardrail. Data needed to render a route is fetched in `load()` — universal in `+page.ts` / `+layout.ts`, server-only in `+page.server.ts` / `+layout.server.ts`. The return shape becomes `data` on the page (`let { data } = $props()`). Forbidden as default: calling `fetch` from a component `

{data.product.name}

Viewer: {data.viewer?.email ?? 'anonymous'}

``` Component receives `data` via `$props()` (single Svelte 5 destructure); the `PageData` type is generated by SvelteKit from the matching server load. Inside `+page.svelte`: `$effect(() => { fetch('/api/products').then(r => r.json()).then(items => products = items); });` to populate the initial product list. Component-level fetch for initial data (`AX_SK_DATA_VIA_LOAD`). Loses SSR (page renders empty, then flickers), bypasses framework `invalidate()` / `depends()`, runs in the browser only — server-side rendering benefit gone. Cannot use private credentials or `locals`. Move fetch into `+page.server.ts`: `export const load: PageServerLoad = async ({ fetch }) => ({ products: await (await fetch('/api/products')).json() });`. Component reads `data.products` via `$props()`. `+page.ts` (universal) starts with `import { DATABASE_URL } from '$env/static/private';`. Private env imported into a universal/client module (`AX_SK_SERVER_CLIENT_BOUNDARY`). Build refuses to bundle it; even if it slipped through (e.g., via dynamic require), the secret would be shipped to the browser bundle. Boundary violation is a security failure, not a stylistic one. Move the consumer to `+page.server.ts` or `$lib/server/...`; expose only the derived value the client legitimately needs through the load return. In a form action: `if (!email) throw new Error('Email required');` Action throws instead of returning `fail()` (`AX_SK_VALIDATION_AT_ACTION_BOUNDARY`). Surfaces as a 500 with the framework's error page; the form loses its inputs; the user has no recoverable UI state. `fail()` is the contract channel for recoverable validation rejection. `return fail(400, { email: '', error: 'Email is required' });` — page re-renders with `form.error` visible and inputs preserved. Inside `+page.server.ts`: `const res = await fetch('http://localhost:3000/api/products');` (the global `fetch`). Global `fetch` from a server load (`AX_SK_FETCH_FROM_LOAD_USES_SDK_FETCH`). Loses request context (cookies, headers), forces a real network hop for internal API routes that SvelteKit would have resolved in-process, and hard-codes the origin. Destructure the SDK-provided `fetch`: `export const load: PageServerLoad = async ({ fetch }) => { const res = await fetch('/api/products'); ... };`. Relative URLs resolve to the current origin; cookies propagate. `svelte.config.js` sets `kit: { prerender: { entries: ['*'] }, csr: false }` to disable SSR/CSR project-wide. Page options globalized into framework config (`AX_SK_PAGE_OPTIONS_PER_ROUTE`). Discards per-route trade-offs — a marketing landing page that benefits from prerender forces the same on dynamic dashboards. Hidden behavior at the framework level surprises every later contributor. Per-route in the relevant `+page.ts`: `export const prerender = true;` for static pages; leave dynamic routes default. Generate route types and run Svelte-aware type-check; catches private-env-in-client violations. npx svelte-kit sync && npx svelte-check --tsconfig ./tsconfig.json Exit 0; no errors. Production build verifies SSR, adapter, and boundary violations the dev server tolerates. npm run build Exit 0. Smoke-grep for private env imported from universal/client files. find src -type f $ -name '*.svelte' -o -name '+page.ts' -o -name '+layout.ts' $ -print0 | xargs -0 grep -nE "\\\$env/(static|dynamic)/private" || true Empty output. Matches must move to `+page.server.ts` / `+layout.server.ts` / `$lib/server/`. Smoke-grep for likely global `fetch(` in server load files (manual review of matches). find src/routes -type f $ -name '+page.server.ts' -o -name '+layout.server.ts' $ -print0 | xargs -0 grep -nE '(^|[^.])fetch\(' || true For each match: confirm it is the SDK-provided `fetch` destructured from the load event, not the global `fetch`. Detect direct `fetch('/api/...')` calls inside `.svelte` files used to populate initial data. find src/routes -name '*.svelte' -print0 | xargs -0 grep -nE "fetch\(['\"]/" || true Each match must be either an explicit progressive-update path with no server data dependency, or migrated to a `load` function. ✅ Data fetched via `load` (server or universal); component-level fetch reserved for genuine progressive updates. ✅ Mutations go through form `actions` with `

`; recoverable rejection via `fail()`; success via `redirect()`. ✅ Server/client boundary respected by file naming; private env imported only in server-only files. ✅ SDK-provided `fetch` used inside `load` / `actions`; global `fetch` not used for in-app routes. ✅ Cross-cutting auth/request enrichment in `hooks.server.ts`; downstream code reads `event.locals` only. ✅ Page options (`ssr`, `prerender`, `csr`) per-route, not globalized. ✅ Route types from `./$types`; ambient types in `src/app.d.ts`. ✅ Explicit adapter chosen for production builds. ❌ Component-level fetch to populate initial render data. ❌ Private env (`$env/static/private`, `$env/dynamic/private`) imported in `+page.ts` / `+layout.ts` / `.svelte`. ❌ Form action throwing arbitrary errors instead of returning `fail()`. ❌ Global `fetch` used inside a load / action when the SDK `fetch` is available. ❌ Page options globalized in `svelte.config.js`. ❌ Hand-rolled route types; bypassing `App.Locals` / `App.PageData` for ambient extensions. ❌ Production build relying on `adapter-auto`.